HIPAA Changes Go Into Effect on September 23, 2013 – Is Your Pharmacy Ready?
An overview of some changes to HIPAA and resources to help you ensure your pharmacy’s compliance.
Note: The content provided here is purely for informational purposes and does not constitute legal advice. You are solely responsible for investigating and complying with all applicable laws, rules and regulations that govern the operation of your business. If you need legal advice, contact your attorney.
When Did HIPAA Change? When Do the Changes Go into Effect?
HIPAA (the Health Insurance Portability and Accountability Act) was originally enacted in August 1996. In August 2002, the Department of Health and Human Services (HHS) publicized the national standards for the electronic exchange, privacy and security of certain individually identifiable health information.
Effective March 26, 2013, HIPAA and the associated Privacy Rule have undergone their most significant update. Within HHS, the Office for Civil Rights (OCR) has responsibility for implementing and enforcing the Omnibus Final Privacy Rule with respect to voluntary compliance activities and civil money penalties.[i] HHS states the purpose of the Omnibus Final Rule is to strengthen the privacy and security protections for individuals’ health information, to modify rules dealing with breach notification, and to increase the flexibility and decrease the burden on regulated entities. A major goal is to strike a balance that permits the use of important information to provide and promote high-quality healthcare, while protecting the privacy of people who seek care and healing.[ii]
Covered entities, including most pharmacies, must comply with applicable requirements and update associated policies and procedures (P&P) by September 23, 2013.
What Specifically Has Changed?
On the website HIPAA Survival Guide (www.hipaasurvivalguide.com), lawyer Carlos Leyva emphasized that much of the Omnibus Rule is not new rulemaking, but is finalization of interim rules.[iii] A few of the important changes include:
|Area of Change||Description of Change|
|Definitions||There are changes in the definitions of some terms such as “business associate” and “protected health information” (PHI). The most significant change is to “business associates,” who are contractors and sub-contractors of covered entities with access to PHI. Covered entities are now required to obtain “satisfactory assurances” from their business associates that PHI will be protected by them (and business associates must provide the same assurances from their business associates), ensuring a chain of assurances.As a result, existing business associate agreements will need to be evaluated and may need to be modified. Information about business associate agreements, including some sample provisions, is available from HHS on the HHS website.|
|Enforcement Rule||The Enforcement Rule has been strengthened, penalties have been significantly increased, and OCR’s enforcement activity is being stepped up. Audits were previously complaint-driven but will now be proactive. HHS has made audit protocols available as a resource.|
|Security Rule||Changes to the Security Rule deal with incremental adjustments to existing HIPAA security rules and relatively modest changes to security practices.|
|Privacy Rule||Extensive changes were made to the Privacy Rule. Here’s a little more information on just some of the changes:NPP (Notice of Privacy Practices)|
PHI (Personal Health Information)
|Breach Notification Rule||Per the HITECH Act, a covered entity must provide notification of discovery of a breach of unsecured PHI to affected individuals. The requirements for reporting a breach [the unauthorized acquisition, access or use of PHI that compromises its security or privacy (e.g., lost or stolen PHI)] have been strengthened.Pharmacies, if they haven’t already, may need to modify the risk assessment tools they use to look at potential or actual PHI breaches (e.g., NPP, risk analysis, risk management plan, disaster recovery plan). The pharmacy will also need to evaluate its training on detecting and reporting incidents, breaches and violations of HIPAA.|
The documents explaining these new rules are more than 500 pages, meaning that this short summary barely touches the surface of what has changed. It is important to realize that there are many changes in HIPAA’s privacy, security, breach notification and enforcement rules. There will be proactive audits, more audits and stiffer penalties for non-compliance. Covered entities, including pharmacies, must comply by September 23, 2013.
Steps for Pharmacies
Actions that pharmacies can benefit from include:
- Becoming informed. The new HIPAA rules are lengthy and technical. While committing all 500 pages to memory is unrealistic, it is still beneficial to have a basic working knowledge of these rules. A wealth of resources is available to assist pharmacists, with some resources provided below.
- Getting legal advice. To ensure compliance, nothing replaces getting expert legal advice that is specific to your pharmacy. To comply with HIPAA, work with your attorney and other consultants as necessary to review and update your Notice of Privacy practice and other HIPAA-related policies, forms, agreements and documents.
- Having staff members go through training. All employees with access to PHI need to complete training on HIPAA’s new requirements by September 23, 2013. (Information on training resources is provided below.)
- Modifying necessary forms and documents. Business associate agreements and other forms and documents may need to be revised in order to be compliant.
A host of resources is available with background information about HIPAA, information about steps necessary to comply, training programs, and more. (Please note that by listing these resources and providing links, McKesson is in no way endorsing these sites or vouching for the accuracy of their content.)
HIPAA Background and Compliance Information
- Department of Health & Human Services, Guidance Materials for Covered Entities
- HIPAA Survival Guide, HIPAA Omnibus Rule Summary
- Pharmacist’s Letter, HIPAA Made Simple: A Survival Guide
- Pharmacist’s Letter, HIPAA & Privacy 2013: A Survival Guide to the Law
- Implementing HIPAA Privacy Regulation in Pharmacy Practice, Journal of American Pharmacists Association
- Pharmacy’s HIPAA Compliance Deadline Arrives, American Pharmacists Association
- Paul J. Breaux, Ltd., Start-Up Checklist for Your Pharmacy’s HIPAA Compliance
- SP Central HIPAA Compliance Forms from ScriptPro®
- HIPAA, HITECH, the Omnibus Rule and the Pharmacy Practice (for Health Mart® members at no cost as part of Health Mart University)
- HIPAATrack from PRS Pharmacy Services
- HIPAA Training Handbook for Pharmacy Staff from HCPro
- HIPAA Survival Guide Training Modules by HIPAA Survival Guide